hono 4.12.3 → 4.12.5

package/dist/adapter/aws-lambda/handler.js

@@ -137,7 +137,7 @@ var EventProcessor = class {
     }
     return result;
   }
-  setCookies(event, res, result) {
+  setCookies(_event, res, result) {
     if (res.headers.has("set-cookie")) {
       const cookies = res.headers.getSetCookie ? res.headers.getSetCookie() : Array.from(res.headers.entries()).filter(([k]) => k === "set-cookie").map(([, v]) => v);
       if (Array.isArray(cookies)) {

package/dist/cjs/adapter/aws-lambda/handler.js

@@ -168,7 +168,7 @@ class EventProcessor {
     }
     return result;
   }
-  setCookies(event, res, result) {
+  setCookies(_event, res, result) {
     if (res.headers.has("set-cookie")) {
       const cookies = res.headers.getSetCookie ? res.headers.getSetCookie() : Array.from(res.headers.entries()).filter(([k]) => k === "set-cookie").map(([, v]) => v);
       if (Array.isArray(cookies)) {

package/dist/cjs/helper/streaming/sse.js

@@ -34,6 +34,11 @@ class SSEStreamingApi extends import_stream.StreamingApi {
     const dataLines = data.split(/\r\n|\r|\n/).map((line) => {
       return `data: ${line}`;
     }).join("\n");
+    for (const key of ["event", "id", "retry"]) {
+      if (message[key] && /[\r\n]/.test(message[key])) {
+        throw new Error(`${key} must not contain "\\r" or "\\n"`);
+      }
+    }
     const sseData = [
       message.event && `event: ${message.event}`,
       dataLines,

package/dist/cjs/jsx/streaming.js

@@ -113,6 +113,7 @@ d.replaceWith(c.content)
 Suspense[import_constants.DOM_RENDERER] = import_components2.Suspense;
 const textEncoder = new TextEncoder();
 const renderToReadableStream = (content, onError = console.trace) => {
+  let cancelled = false;
   const reader = new ReadableStream({
     async start(controller) {
       try {
@@ -126,7 +127,9 @@ const renderToReadableStream = (content, onError = console.trace) => {
           true,
           context
         );
-        controller.enqueue(textEncoder.encode(resolved));
+        if (!cancelled) {
+          controller.enqueue(textEncoder.encode(resolved));
+        }
         let resolvedCount = 0;
         const callbacks = [];
         const then = (promise) => {
@@ -144,7 +147,9 @@ const renderToReadableStream = (content, onError = console.trace) => {
               );
               res.callbacks?.map((c) => c({ phase: import_html2.HtmlEscapedCallbackPhase.Stream, context })).filter(Boolean).forEach(then);
               resolvedCount++;
-              controller.enqueue(textEncoder.encode(res));
+              if (!cancelled) {
+                controller.enqueue(textEncoder.encode(res));
+              }
             })
           );
         };
@@ -155,7 +160,12 @@ const renderToReadableStream = (content, onError = console.trace) => {
       } catch (e) {
         onError(e);
       }
-      controller.close();
+      if (!cancelled) {
+        controller.close();
+      }
+    },
+    cancel() {
+      cancelled = true;
     }
   });
   return reader;

package/dist/cjs/middleware/serve-static/index.js

@@ -23,6 +23,7 @@ __export(serve_static_exports, {
 module.exports = __toCommonJS(serve_static_exports);
 var import_compress = require("../../utils/compress");
 var import_mime = require("../../utils/mime");
+var import_url = require("../../utils/url");
 var import_path = require("./path");
 const ENCODINGS = {
   br: ".br",
@@ -44,7 +45,7 @@ const serveStatic = (options) => {
       filename = options.path;
     } else {
       try {
-        filename = decodeURIComponent(c.req.path);
+        filename = (0, import_url.tryDecodeURI)(c.req.path);
         if (/(?:^|[\/\\])\.\.(?:$|[\/\\])/.test(filename)) {
           throw new Error();
         }

package/dist/cjs/utils/cookie.js

@@ -112,6 +112,11 @@ const _serialize = (name, value, opt = {}) => {
       throw new Error("__Host- Cookie must not have Domain attributes");
     }
   }
+  for (const key of ["domain", "path"]) {
+    if (opt[key] && /[;\r\n]/.test(opt[key])) {
+      throw new Error(`${key} must not contain ";", "\\r", or "\\n"`);
+    }
+  }
   if (opt && typeof opt.maxAge === "number" && opt.maxAge >= 0) {
     if (opt.maxAge > 3456e4) {
       throw new Error(

package/dist/cjs/utils/jwt/jwt.js

@@ -177,10 +177,13 @@ const verifyWithJwks = async (token, options, init) => {
   });
 };
 const decode = (token) => {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new import_types.JwtTokenInvalid(token);
+  }
   try {
-    const [h, p] = token.split(".");
-    const header = decodeJwtPart(h);
-    const payload = decodeJwtPart(p);
+    const header = decodeJwtPart(parts[0]);
+    const payload = decodeJwtPart(parts[1]);
     return {
       header,
       payload
@@ -190,9 +193,12 @@ const decode = (token) => {
   }
 };
 const decodeHeader = (token) => {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new import_types.JwtTokenInvalid(token);
+  }
   try {
-    const [h] = token.split(".");
-    return decodeJwtPart(h);
+    return decodeJwtPart(parts[0]);
   } catch {
     throw new import_types.JwtTokenInvalid(token);
   }

package/dist/cjs/utils/url.js

@@ -29,7 +29,8 @@ __export(url_exports, {
   mergePath: () => mergePath,
   splitPath: () => splitPath,
   splitRoutingPath: () => splitRoutingPath,
-  tryDecode: () => tryDecode
+  tryDecode: () => tryDecode,
+  tryDecodeURI: () => tryDecodeURI
 });
 module.exports = __toCommonJS(url_exports);
 const splitPath = (path) => {
@@ -251,5 +252,6 @@ const decodeURIComponent_ = decodeURIComponent;
   mergePath,
   splitPath,
   splitRoutingPath,
-  tryDecode
+  tryDecode,
+  tryDecodeURI
 });

package/dist/helper/streaming/sse.js

@@ -11,6 +11,11 @@ var SSEStreamingApi = class extends StreamingApi {
     const dataLines = data.split(/\r\n|\r|\n/).map((line) => {
       return `data: ${line}`;
     }).join("\n");
+    for (const key of ["event", "id", "retry"]) {
+      if (message[key] && /[\r\n]/.test(message[key])) {
+        throw new Error(`${key} must not contain "\\r" or "\\n"`);
+      }
+    }
     const sseData = [
       message.event && `event: ${message.event}`,
       dataLines,

package/dist/jsx/streaming.js

@@ -89,6 +89,7 @@ d.replaceWith(c.content)
 Suspense[DOM_RENDERER] = SuspenseDomRenderer;
 var textEncoder = new TextEncoder();
 var renderToReadableStream = (content, onError = console.trace) => {
+  let cancelled = false;
   const reader = new ReadableStream({
     async start(controller) {
       try {
@@ -102,7 +103,9 @@ var renderToReadableStream = (content, onError = console.trace) => {
           true,
           context
         );
-        controller.enqueue(textEncoder.encode(resolved));
+        if (!cancelled) {
+          controller.enqueue(textEncoder.encode(resolved));
+        }
         let resolvedCount = 0;
         const callbacks = [];
         const then = (promise) => {
@@ -120,7 +123,9 @@ var renderToReadableStream = (content, onError = console.trace) => {
               );
               res.callbacks?.map((c) => c({ phase: HtmlEscapedCallbackPhase.Stream, context })).filter(Boolean).forEach(then);
               resolvedCount++;
-              controller.enqueue(textEncoder.encode(res));
+              if (!cancelled) {
+                controller.enqueue(textEncoder.encode(res));
+              }
             })
           );
         };
@@ -131,7 +136,12 @@ var renderToReadableStream = (content, onError = console.trace) => {
       } catch (e) {
         onError(e);
       }
-      controller.close();
+      if (!cancelled) {
+        controller.close();
+      }
+    },
+    cancel() {
+      cancelled = true;
     }
   });
   return reader;

package/dist/middleware/serve-static/index.js

@@ -1,6 +1,7 @@
 // src/middleware/serve-static/index.ts
 import { COMPRESSIBLE_CONTENT_TYPE_REGEX } from "../../utils/compress.js";
 import { getMimeType } from "../../utils/mime.js";
+import { tryDecodeURI } from "../../utils/url.js";
 import { defaultJoin } from "./path.js";
 var ENCODINGS = {
   br: ".br",
@@ -22,7 +23,7 @@ var serveStatic = (options) => {
       filename = options.path;
     } else {
       try {
-        filename = decodeURIComponent(c.req.path);
+        filename = tryDecodeURI(c.req.path);
         if (/(?:^|[\/\\])\.\.(?:$|[\/\\])/.test(filename)) {
           throw new Error();
         }

package/dist/types/adapter/aws-lambda/handler.d.ts

@@ -138,7 +138,7 @@ export declare abstract class EventProcessor<E extends LambdaEvent> {
     protected getDomainName(event: E): string | undefined;
     createRequest(event: E): Request;
     createResult(event: E, res: Response, options: Pick<HandleOptions, 'isContentTypeBinary'>): Promise<APIGatewayProxyResult>;
-    setCookies(event: E, res: Response, result: APIGatewayProxyResult): void;
+    setCookies(_event: E, res: Response, result: APIGatewayProxyResult): void;
 }
 export declare class EventV2Processor extends EventProcessor<APIGatewayProxyEventV2> {
     protected getPath(event: APIGatewayProxyEventV2): string;

package/dist/types/client/types.d.ts

@@ -1,7 +1,7 @@
 import type { Hono } from '../hono';
 import type { HonoBase } from '../hono-base';
 import type { METHODS, METHOD_NAME_ALL_LOWERCASE } from '../router';
-import type { Endpoint, KnownResponseFormat, ResponseFormat, Schema } from '../types';
+import type { Endpoint, ExtractSchema, KnownResponseFormat, ResponseFormat, Schema } from '../types';
 import type { StatusCode, SuccessStatusCode } from '../utils/http-status';
 import type { HasRequiredKeys } from '../utils/types';
 /**
@@ -205,5 +205,5 @@ type ModSchema<D, Def extends GlobalResponseDefinition> = {
         [M in keyof D[K]]: ModRoute<D[K][M], Def>;
     };
 };
-export type ApplyGlobalResponse<App, Def extends GlobalResponseDefinition> = App extends HonoBase<infer E, infer D extends Schema, infer B> ? Hono<E, ModSchema<D, Def> extends Schema ? ModSchema<D, Def> : never, B> : never;
+export type ApplyGlobalResponse<App, Def extends GlobalResponseDefinition> = App extends HonoBase<infer E, infer _ extends Schema, infer B> ? ModSchema<ExtractSchema<App>, Def> extends infer S extends Schema ? Hono<E, S, B> : never : never;
 export {};

package/dist/types/request.d.ts

@@ -59,7 +59,7 @@ export declare class HonoRequest<P extends string = '/', I extends Input['out']
      * const { id, comment_id } = c.req.param()
      * ```
      */
-    param<P2 extends ParamKeys<P> = ParamKeys<P>>(key: P2 extends `${infer _}?` ? never : P2): string;
+    param<P2 extends ParamKeys<P> = ParamKeys<P>>(key: string extends P ? never : P2 extends `${infer _}?` ? never : P2): string;
     param<P2 extends RemoveQuestion<ParamKeys<P>> = RemoveQuestion<ParamKeys<P>>>(key: P2): string | undefined;
     param(key: string): string | undefined;
     param<P2 extends string = P>(): Simplify<UnionToIntersection<ParamKeyToRecord<ParamKeys<P2>>>>;

package/dist/types/utils/url.d.ts

@@ -8,6 +8,16 @@ export declare const splitRoutingPath: (routePath: string) => string[];
 export declare const getPattern: (label: string, next?: string) => Pattern | null;
 type Decoder = (str: string) => string;
 export declare const tryDecode: (str: string, decoder: Decoder) => string;
+/**
+ * Try to apply decodeURI() to given string.
+ * If it fails, skip invalid percent encoding or invalid UTF-8 sequences, and apply decodeURI() to the rest as much as possible.
+ * @param str The string to decode.
+ * @returns The decoded string that sometimes contains undecodable percent encoding.
+ * @example
+ * tryDecodeURI('Hello%20World') // 'Hello World'
+ * tryDecodeURI('Hello%20World/%A4%A2') // 'Hello World/%A4%A2'
+ */
+export declare const tryDecodeURI: (str: string) => string;
 export declare const getPath: (request: Request) => string;
 export declare const getQueryStrings: (url: string) => string;
 export declare const getPathNoStrict: (request: Request) => string;

package/dist/utils/cookie.js

@@ -87,6 +87,11 @@ var _serialize = (name, value, opt = {}) => {
       throw new Error("__Host- Cookie must not have Domain attributes");
     }
   }
+  for (const key of ["domain", "path"]) {
+    if (opt[key] && /[;\r\n]/.test(opt[key])) {
+      throw new Error(`${key} must not contain ";", "\\r", or "\\n"`);
+    }
+  }
   if (opt && typeof opt.maxAge === "number" && opt.maxAge >= 0) {
     if (opt.maxAge > 3456e4) {
       throw new Error(

package/dist/utils/jwt/jwt.js

@@ -165,10 +165,13 @@ var verifyWithJwks = async (token, options, init) => {
   });
 };
 var decode = (token) => {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new JwtTokenInvalid(token);
+  }
   try {
-    const [h, p] = token.split(".");
-    const header = decodeJwtPart(h);
-    const payload = decodeJwtPart(p);
+    const header = decodeJwtPart(parts[0]);
+    const payload = decodeJwtPart(parts[1]);
     return {
       header,
       payload
@@ -178,9 +181,12 @@ var decode = (token) => {
   }
 };
 var decodeHeader = (token) => {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new JwtTokenInvalid(token);
+  }
   try {
-    const [h] = token.split(".");
-    return decodeJwtPart(h);
+    return decodeJwtPart(parts[0]);
   } catch {
     throw new JwtTokenInvalid(token);
   }

package/dist/utils/url.js

@@ -217,5 +217,6 @@ export {
   mergePath,
   splitPath,
   splitRoutingPath,
-  tryDecode
+  tryDecode,
+  tryDecodeURI
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hono",
-  "version": "4.12.3",
+  "version": "4.12.5",
   "description": "Web framework built on Web Standards",
   "main": "dist/cjs/index.js",
   "type": "module",
@@ -656,7 +656,7 @@
     "nodejs"
   ],
   "devDependencies": {
-    "@hono/eslint-config": "^2.0.5",
+    "@hono/eslint-config": "^2.1.0",
     "@hono/node-server": "^1.13.5",
     "@types/glob": "^9.0.0",
     "@types/jsdom": "^21.1.7",
@@ -667,7 +667,7 @@
     "bun-types": "^1.2.20",
     "editorconfig-checker": "6.1.1",
     "esbuild": "^0.27.1",
-    "eslint": "9.39.1",
+    "eslint": "^9.39.3",
     "glob": "^11.0.0",
     "jsdom": "22.1.0",
     "msw": "^2.6.0",